{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21719", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-04-13T02:53:42.375Z", "datePublished": "2026-04-17T04:33:17.708Z", "dateUpdated": "2026-04-17T04:33:17.708Z"}, "containers": {"cna": {"affected": [{"vendor": "CubeCart Limited", "product": "CubeCart", "versions": [{"version": "prior to 6.6.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "An OS command injection vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to execute an arbitrary OS command."}], "problemTypes": [{"descriptions": [{"description": "Improper neutralization of special elements used in an OS command ('OS Command Injection')", "lang": "en-US", "cweId": "CWE-78", "type": "CWE"}]}], "references": [{"url": "https://community.cubecart.com/t/cubecart-6-6-0-released-the-biggest-update-in-years/62405"}, {"url": "https://jvn.jp/en/jp/JVN78422311/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.6, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-04-17T04:33:17.708Z"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An OS command injection vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to execute an arbitrary OS command."}], "id": "CVE-2026-21719", "lastModified": "2026-04-17T06:16:29.430", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-04-17T06:16:29.430", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://community.cubecart.com/t/cubecart-6-6-0-released-the-biggest-update-in-years/62405"}, {"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/jp/JVN78422311/"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T06:51:24.211843+00:00", "value": {"mitigation_remediation": ["Upgrade CubeCart to version 6.6.0 or later, which removes the vulnerable input handling.", "Ensure that all administrative accounts use strong, unique passwords and, if possible, enable multi\u2011factor authentication to reduce the risk of credential compromise.", "Audit any custom modules or third\u2011party extensions for unvalidated system calls and remove or sanitize them before they can be executed by an administrator."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "CubeCart Limited\u2019s CubeCart product in all releases prior to version 6.6.0, including 6.5.x and earlier, is impacted. No specific patch version list is given, so any deployment earlier than 6.6.0 is vulnerable.", "description_and_impact": "An OS command injection flaw in CubeCart allows an attacker who can log in as an administrator to supply arbitrary input that is passed directly to the operating system. The flaw enables the execution of any command on the server, giving full control over the affected system and potentially compromising confidentiality, integrity, and availability.", "risk_and_exploitability": "The vulnerability has a CVSS score of 8.6, indicating high severity. The likelihood of exploitation is not quantified, and the vulnerability is not classified as a known exploited weakness in public repositories. The likely attack path requires an attacker to obtain administrative credentials or exploit an existing admin session, after which arbitrary OS commands can be executed. The absence of an application-layer restriction and the direct use of user input in system calls make exploitation straightforward for a qualified attacker."}}}}, "created": "2026-04-17T07:00:08.559199+00:00", "title": "Administratively Privileged OS Command Injection in CubeCart Before 6.6.0", "updated": "2026-04-17T07:00:08.559212+00:00", "vendors": []}